Not yet stable across Firefox and Safari

A count of the number of APIs are in Browser X but not in Browser Y.
	Not in Firefox	Not in Safari
In Firefox		38
In Safari	12

API	First Browser	Date	Days in Limbo	Notes
http.headers.Access-Control-Allow-Headers.authorization_not_covered_by_wildcard	Firefox	7/4/2023	989
http.headers.Activate-Storage-Access 📋	Firefox	1/13/2026	65
http.headers.Authorization.Digest.SHA-256	Firefox	10/5/2021	1626
http.headers.Content-Security-Policy.block-all-mixed-content	Safari	9/20/2016	3467	Chrome: Will be removed, see bug 40260100.Chrome Android: Will be removed, see bug 40260100.Edge: Will be removed, see bug 40260100.Quest Browser: Will be removed, see bug 40260100.Opera: Will be removed, see bug 40260100.Opera Android: Will be removed, see bug 40260100.Samsung Internet: Will be removed, see bug 40260100.WebView Android: Will be removed, see bug 40260100.
http.headers.Content-Security-Policy.form-action.blocks_redirects	Safari	4/12/2018	2898
http.headers.Content-Security-Policy.prefetch-src	Safari	1/23/2023	1151
http.headers.Content-Security-Policy.require-trusted-types-for 📋	Safari	9/15/2025	185
http.headers.Content-Security-Policy.script-src.inline-speculation-rules	Safari	12/12/2025	97
http.headers.Content-Security-Policy.script-src.trusted-types-eval 📋	Safari	9/15/2025	185
http.headers.Content-Security-Policy.trusted-types 📋	Safari	9/15/2025	185
http.headers.Cross-Origin-Embedder-Policy.credentialless 📋	Firefox	10/24/2023	877
http.headers.Cross-Origin-Opener-Policy.noopener-allow-popups 📋	Safari	3/31/2025	353
http.headers.DNT	Firefox	3/22/2011	5476
http.headers.Early-Data 📋	Firefox	1/23/2018	2977
http.headers.Idempotency-Key 📋	Firefox	2/4/2025	408	Firefox: Automatically adds a unique 64-bit key for POST requests when needed, if not set in JavaScript.
http.headers.Integrity-Policy 📋	Firefox	11/11/2025	128	Firefox: Reporting `endpoints` are ignored (violations are logged to console).Firefox for Android: Reporting `endpoints` are ignored (violations are logged to console).
http.headers.Integrity-Policy.blocked-destinations_script 📋	Firefox	11/11/2025	128
http.headers.Integrity-Policy.blocked-destinations_style 📋	Firefox	8/19/2025	212
http.headers.Integrity-Policy-Report-Only 📋	Firefox	11/11/2025	128	Firefox: Reporting `endpoints` are ignored (violations are logged to console).Firefox for Android: Reporting `endpoints` are ignored (violations are logged to console).
http.headers.Integrity-Policy-Report-Only.blocked-destinations_script 📋	Firefox	11/11/2025	128
http.headers.Integrity-Policy-Report-Only.blocked-destinations_style 📋	Firefox	8/19/2025	212
http.headers.Origin-Agent-Cluster 📋	Firefox	4/29/2025	324
http.headers.Priority 📋	Firefox	7/9/2024	618
http.headers.Report-To	Firefox	9/3/2024	562
http.headers.Sec-Fetch-Storage-Access 📋	Firefox	1/13/2026	65
http.headers.Sec-Fetch-User 📋	Firefox	7/13/2021	1710
http.headers.Sec-GPC 📋	Firefox	11/21/2023	849	Firefox: Opt-in to GPC using the Website Privacy Preference setting (`about:preferences#privacy`) checkbox 'Tell websites not to sell or share my data', or by setting the preference `privacy.globalprivacycontrol.enabled` to `true`.Firefox for Android: Opt-in to GPC using the Enhanced Tracking Protection toggle 'Tell web sites not to share & sell data', or by setting the preference `privacy.globalprivacycontrol.enabled` to `true`.
http.headers.Sec-Purpose 📋	Firefox	7/4/2023	989
http.headers.Sec-Purpose.prefetch	Firefox	7/4/2023	989	Chrome: Doesn't support `Sec-Purpose` for `<link rel="prefetch">`. In Chrome, the legacy `Purpose: prefetch` header is used to indicate a `link` request is a prefetch. See bug 40236973.Chrome Android: Doesn't support `Sec-Purpose` for `<link rel="prefetch">`. In Chrome Android, the legacy `Purpose: prefetch` header is used to indicate a `link` request is a prefetch. See bug 40236973.Edge: Doesn't support `Sec-Purpose` for `<link rel="prefetch">`. In Edge, the legacy `Purpose: prefetch` header is used to indicate a `link` request is a prefetch. See bug 40236973.Firefox: `Sec-Purpose: prefetch` replaces the non-standard `X-moz: prefetch` header that was used to indicate a `link` prefetch request in earlier versions.Firefox: Prefetch requests should also include the header `Accept` header string for navigations, but `Accept: /` is sent instead.Firefox for Android: `Sec-Purpose: prefetch` replaces the non-standard `X-moz: prefetch` header that was used to indicate a `link` prefetch request in earlier versions.Firefox for Android: Prefetch requests should also include the header `Accept` header string for navigations, but `Accept: /` is sent instead.Quest Browser: Doesn't support `Sec-Purpose` for `<link rel="prefetch">`. In Quest Browser, the legacy `Purpose: prefetch` header is used to indicate a `link` request is a prefetch. See bug 40236973.Opera: Doesn't support `Sec-Purpose` for `<link rel="prefetch">`. In Opera, the legacy `Purpose: prefetch` header is used to indicate a `link` request is a prefetch. See bug 40236973.Samsung Internet: Doesn't support `Sec-Purpose` for `<link rel="prefetch">`. In Samsung Internet, the legacy `Purpose: prefetch` header is used to indicate a `link` request is a prefetch. See bug 40236973.WebView Android: Doesn't support `Sec-Purpose` for `<link rel="prefetch">`. In WebView Android, the legacy `Purpose: prefetch` header is used to indicate a `link` request is a prefetch. See bug 40236973.
http.headers.Sec-Purpose.speculationrules	Safari	12/12/2025	97
http.headers.Sec-Speculation-Tags 📋	Safari	12/12/2025	97
http.headers.Server-Timing.trailer	Firefox	12/10/2019	2291	Firefox: Only the `Server-Timing` header is a recognized trailer, and it is only exposed to DevTools in the network Timing tab (bug 1403051). Developers cannot access trailers via the Fetch API or XHR.Firefox for Android: Only the `Server-Timing` header is a recognized trailer, and it is only exposed to DevTools in the network Timing tab (bug 1403051). Developers cannot access trailers via the Fetch API or XHR.
http.headers.Service-Worker-Navigation-Preload 📋	Safari	3/14/2022	1466
http.headers.Set-Cookie.SameSite.Lax_default	Firefox	9/3/2019	2389
http.headers.Set-Cookie.SameSite.none_requires_secure	Firefox	10/1/2024	534
http.headers.Set-Cookie.SameSite.schemeful	Firefox	7/28/2020	2060
http.headers.Set-Cookie.http_host-http_prefixes	Firefox	9/16/2025	184	Firefox: `__Host-Http-` is supported under its original name `__HostHttp-`. See bug 1982555.Firefox for Android: `__Host-Http-` is supported under its original name `__HostHttp-`. See bug 1982555.
http.headers.Set-Login 📋	Firefox	4/29/2025	324
http.headers.Speculation-Rules 📋	Safari	12/12/2025	97
http.headers.Trailer 📋	Firefox	12/10/2019	2291	Firefox: Only the `Server-Timing` header is a recognized trailer, and it is only exposed to DevTools in the network Timing tab (bug 1403051). Developers cannot access trailers via the Fetch API or XHR.Firefox for Android: Only the `Server-Timing` header is a recognized trailer, and it is only exposed to DevTools in the network Timing tab (bug 1403051). Developers cannot access trailers via the Fetch API or XHR.
http.headers.WWW-Authenticate.Digest.SHA-256	Firefox	10/5/2021	1626
http.headers.X-DNS-Prefetch-Control	Firefox	10/24/2006	7086
http.mixed-content.allow_file_urls 📋	Firefox	8/6/2013	4608
http.mixed-content.allow_localhost_url 📋	Firefox	12/15/2020	1920
http.mixed-content.allow_loopback_url 📋	Firefox	8/8/2017	3145
http.mixed-content.auto_upgrade_images 📋	Firefox	6/11/2024	646	Firefox: Set `security.mixed_content.upgrade_display_content` preference to `true` to allow HTTP fetching and display of upgradable content.Firefox: Set `security.mixed_content.block_display_content` preference to `true` to block all mixed content.Firefox for Android: Set `security.mixed_content.upgrade_display_content` preference to `true` to allow HTTP fetching and display of upgradable content.Firefox for Android: Set `security.mixed_content.block_display_content` preference to `true` to block all mixed content.
http.mixed-content.auto_upgrade_video_audio 📋	Firefox	6/11/2024	646	Firefox: Set `security.mixed_content.upgrade_display_content` preference to `true` to allow HTTP fetching and display of upgradable content.Firefox: Set `security.mixed_content.block_display_content` preference to `true` to block all mixed content.Firefox for Android: Set `security.mixed_content.upgrade_display_content` preference to `true` to allow HTTP fetching and display of upgradable content.Firefox for Android: Set `security.mixed_content.block_display_content` preference to `true` to block all mixed content.
http.mixed-content.block_mixed_downloads 📋	Firefox	7/13/2021	1710
http.status.103.preload	Firefox	2/20/2024	758
http.status.425 📋	Firefox	1/23/2018	2977

API

First Browser

Date

Days in Limbo

Notes

http.headers.Access-Control-Allow-Headers.authorization_not_covered_by_wildcard

Firefox

7/4/2023

989

http.headers.Activate-Storage-Access 📋

Firefox

1/13/2026

http.headers.Authorization.Digest.SHA-256

Firefox

10/5/2021

1626

http.headers.Content-Security-Policy.block-all-mixed-content

Safari

9/20/2016

3467

Chrome: Will be removed, see bug 40260100.Chrome Android: Will be removed, see bug 40260100.Edge: Will be removed, see bug 40260100.Quest Browser: Will be removed, see bug 40260100.Opera: Will be removed, see bug 40260100.Opera Android: Will be removed, see bug 40260100.Samsung Internet: Will be removed, see bug 40260100.WebView Android: Will be removed, see bug 40260100.

http.headers.Content-Security-Policy.form-action.blocks_redirects

Safari

4/12/2018

2898

http.headers.Content-Security-Policy.prefetch-src

Safari

1/23/2023

1151

http.headers.Content-Security-Policy.require-trusted-types-for 📋

Safari

9/15/2025

185

http.headers.Content-Security-Policy.script-src.inline-speculation-rules

Safari

12/12/2025

http.headers.Content-Security-Policy.script-src.trusted-types-eval 📋

Safari

9/15/2025

185

http.headers.Content-Security-Policy.trusted-types 📋

Safari

9/15/2025

185

http.headers.Cross-Origin-Embedder-Policy.credentialless 📋

Firefox

10/24/2023

877

http.headers.Cross-Origin-Opener-Policy.noopener-allow-popups 📋

Safari

3/31/2025

353

http.headers.DNT

Firefox

3/22/2011

5476

http.headers.Early-Data 📋

Firefox

1/23/2018

2977

http.headers.Idempotency-Key 📋

Firefox

2/4/2025

408

Firefox: Automatically adds a unique 64-bit key for POST requests when needed, if not set in JavaScript.

http.headers.Integrity-Policy 📋

Firefox

11/11/2025

128

Firefox: Reporting endpoints are ignored (violations are logged to console).Firefox for Android: Reporting endpoints are ignored (violations are logged to console).

http.headers.Integrity-Policy.blocked-destinations_script 📋

Firefox

11/11/2025

128

http.headers.Integrity-Policy.blocked-destinations_style 📋

Firefox

8/19/2025

212

http.headers.Integrity-Policy-Report-Only 📋

Firefox

11/11/2025

128

Firefox: Reporting endpoints are ignored (violations are logged to console).Firefox for Android: Reporting endpoints are ignored (violations are logged to console).

http.headers.Integrity-Policy-Report-Only.blocked-destinations_script 📋

Firefox

11/11/2025

128

http.headers.Integrity-Policy-Report-Only.blocked-destinations_style 📋

Firefox

8/19/2025

212

http.headers.Origin-Agent-Cluster 📋

Firefox

4/29/2025

324

http.headers.Priority 📋

Firefox

7/9/2024

618

http.headers.Report-To

Firefox

9/3/2024

562

http.headers.Sec-Fetch-Storage-Access 📋

Firefox

1/13/2026

http.headers.Sec-Fetch-User 📋

Firefox

7/13/2021

1710

http.headers.Sec-GPC 📋

Firefox

11/21/2023

849

Firefox: Opt-in to GPC using the Website Privacy Preference setting (about:preferences#privacy) checkbox 'Tell websites not to sell or share my data', or by setting the preference privacy.globalprivacycontrol.enabled to true.Firefox for Android: Opt-in to GPC using the Enhanced Tracking Protection toggle 'Tell web sites not to share & sell data', or by setting the preference privacy.globalprivacycontrol.enabled to true.

http.headers.Sec-Purpose 📋

Firefox

7/4/2023

989

http.headers.Sec-Purpose.prefetch

Firefox

7/4/2023

989

Chrome: Doesn't support Sec-Purpose for <link rel="prefetch">. In Chrome, the legacy Purpose: prefetch header is used to indicate a link request is a prefetch. See bug 40236973.Chrome Android: Doesn't support Sec-Purpose for <link rel="prefetch">. In Chrome Android, the legacy Purpose: prefetch header is used to indicate a link request is a prefetch. See bug 40236973.Edge: Doesn't support Sec-Purpose for <link rel="prefetch">. In Edge, the legacy Purpose: prefetch header is used to indicate a link request is a prefetch. See bug 40236973.Firefox: Sec-Purpose: prefetch replaces the non-standard X-moz: prefetch header that was used to indicate a link prefetch request in earlier versions.Firefox: Prefetch requests should also include the header Accept header string for navigations, but Accept: */* is sent instead.Firefox for Android: Sec-Purpose: prefetch replaces the non-standard X-moz: prefetch header that was used to indicate a link prefetch request in earlier versions.Firefox for Android: Prefetch requests should also include the header Accept header string for navigations, but Accept: */* is sent instead.Quest Browser: Doesn't support Sec-Purpose for <link rel="prefetch">. In Quest Browser, the legacy Purpose: prefetch header is used to indicate a link request is a prefetch. See bug 40236973.Opera: Doesn't support Sec-Purpose for <link rel="prefetch">. In Opera, the legacy Purpose: prefetch header is used to indicate a link request is a prefetch. See bug 40236973.Samsung Internet: Doesn't support Sec-Purpose for <link rel="prefetch">. In Samsung Internet, the legacy Purpose: prefetch header is used to indicate a link request is a prefetch. See bug 40236973.WebView Android: Doesn't support Sec-Purpose for <link rel="prefetch">. In WebView Android, the legacy Purpose: prefetch header is used to indicate a link request is a prefetch. See bug 40236973.

http.headers.Sec-Purpose.speculationrules

Safari

12/12/2025

http.headers.Sec-Speculation-Tags 📋

Safari

12/12/2025

http.headers.Server-Timing.trailer

Firefox

12/10/2019

2291

Firefox: Only the Server-Timing header is a recognized trailer, and it is only exposed to DevTools in the network Timing tab (bug 1403051). Developers cannot access trailers via the Fetch API or XHR.Firefox for Android: Only the Server-Timing header is a recognized trailer, and it is only exposed to DevTools in the network Timing tab (bug 1403051). Developers cannot access trailers via the Fetch API or XHR.

http.headers.Service-Worker-Navigation-Preload 📋

Safari

3/14/2022

1466

http.headers.Set-Cookie.SameSite.Lax_default

Firefox

9/3/2019

2389

http.headers.Set-Cookie.SameSite.none_requires_secure

Firefox

10/1/2024

534

http.headers.Set-Cookie.SameSite.schemeful

Firefox

7/28/2020

2060

http.headers.Set-Cookie.http_host-http_prefixes

Firefox

9/16/2025

184

Firefox: __Host-Http- is supported under its original name __HostHttp-. See bug 1982555.Firefox for Android: __Host-Http- is supported under its original name __HostHttp-. See bug 1982555.

http.headers.Set-Login 📋

Firefox

4/29/2025

324

http.headers.Speculation-Rules 📋

Safari

12/12/2025

http.headers.Trailer 📋

Firefox

12/10/2019

2291

http.headers.WWW-Authenticate.Digest.SHA-256

Firefox

10/5/2021

1626

http.headers.X-DNS-Prefetch-Control

Firefox

10/24/2006

7086

http.mixed-content.allow_file_urls 📋

Firefox

8/6/2013

4608

http.mixed-content.allow_localhost_url 📋

Firefox

12/15/2020

1920

http.mixed-content.allow_loopback_url 📋

Firefox

8/8/2017

3145

http.mixed-content.auto_upgrade_images 📋

Firefox

6/11/2024

646

Firefox: Set security.mixed_content.upgrade_display_content preference to true to allow HTTP fetching and display of upgradable content.Firefox: Set security.mixed_content.block_display_content preference to true to block all mixed content.Firefox for Android: Set security.mixed_content.upgrade_display_content preference to true to allow HTTP fetching and display of upgradable content.Firefox for Android: Set security.mixed_content.block_display_content preference to true to block all mixed content.

http.mixed-content.auto_upgrade_video_audio 📋

Firefox

6/11/2024

646

http.mixed-content.block_mixed_downloads 📋

Firefox

7/13/2021

1710

http.status.103.preload

Firefox

2/20/2024

758

http.status.425 📋

Firefox

1/23/2018

2977

Not yet stable

Summary

Unstable APIs

Raw Data

HTTP Data